Recorded Future Integration Guide

Overview

The Recorded Future integration connects NINA workflows to Recorded Future's threat intelligence platform across 19 API resources:

Core Intelligence:

Alert — Manage and query Recorded Future alerts (v2 and v3)
Analyst Note — Create, publish, search, and manage analyst notes
Entity Match — Resolve entity names to RF entity IDs and look up entities
Identity — Query credential exposures, detections, and incident reports
Links — Retrieve verified links between entities from technical analysis and Insikt Group research
List — Read and write user-managed entity watch lists
Playbook Alert — Search, retrieve, and update playbook alerts across all categories
Threat — Retrieve threat maps (actor and malware), search threat actors, and list categories

Connect v2 (Entity Enrichment):

Connect v2 — Entity lookups, risk lists, and enrichment for IPs, domains, hashes, URLs, vulnerabilities, malware, and companies (49 operations)

Detection & Hunting (Autonomous Threat Operations):

Threat Detection — Manage detection profiles, retrieve indicators and detection rules for SIEM/EDR
Threat Hunting — Manage hunting profiles and retrieve threat hunting indicators
Threat Prevention — Manage prevention profiles and retrieve prevention indicators
Intelligence Sources — Create custom intelligence sources and publish reports

Specialized APIs:

Detection Rule — Search YARA, Sigma, and Snort rules authored by Insikt Group
Detection Rule Relation — Fetch entities and entity types associated with detection rules
Malware Intelligence — Query malware data, sandbox reports, and auto-generate YARA/Sigma rules
Risk — Fetch risk history and active risk rules for entities
Fusion v3 — Manage feed files (upload, fetch, delete, browse directories)
SOAR v3 — Bulk threat intelligence risk checks and triage for SOAR platforms

Authentication uses a single API key (X-RFToken header). All modules share the same credential.

Credential Configuration

Authentication

Field	Description	Default
API Key	Your Recorded Future API key (`X-RFToken`)	—
Base URL	API endpoint	`https://api.recordedfuture.com`

How to Get Your Recorded Future API Key

Log in to the Recorded Future Portal
Navigate to User Settings → API Access
Copy your existing key or generate a new one
Verify your key has access to the modules your workflows require (Identity, Playbook Alert, etc.)

Subscription notes:

Identity and Playbook Alert APIs require specific subscription tiers
Some endpoints are in Beta — check Recorded Future docs for current availability

Creating a Credential in NINA

Navigate to Credentials → Add New Credential
Select integration service: Recorded Future
Auth type: API Key
Fill in your API Key and optionally override the Base URL
Click Test Connection then Save

Supported Resources and Operations

Alert

Interact with Recorded Future alerts (rule-triggered intelligence alerts). Supports both the legacy v2 and current v3 APIs.

Operation	Name	HTTP	Description
`listV2Search`	List V2 Search	GET /v2/search	Search alerts with filters (status, assignee, alertRule, freetext, date range)
`listV2SearchDetails`	List V2 Search Details	GET /v2/search/details	Same as above with additional detail fields
`listV3`	List V3	GET /v3	Search alerts using the v3 API (statusInPortal filter)
`getV2ById`	Get V2 By Id	`GET /v2/{alert_id}`	Fetch a single alert by ID (v2)
`getV3ById`	Get V3 By Id	`GET /v3/{alert_id}`	Fetch a single alert by ID (v3) with field selection
`listV3Hits`	List V3 Hits	GET /v3/hits	Fetch a flat collection of hits for one or more alert IDs
`listV3Image`	List V3 Image	GET /v3/image	Fetch raw image data by image ID
`createV2Update`	Create V2 Update	POST /v2/update	Update status/assignee on one or more alerts
`listV2Rule`	List V2 Rule	GET /v2/rule	Search alert rules (freetext, limit, taggedText)

Key parameters for listV2Search / listV2SearchDetails:

status — enum: unassigned, assigned, pending, dismiss, no-action, actionable, tuning
triggered — date range filter (e.g., [-24h,] for last 24 hours)
alertRule — filter by alert rule ID
limit / from — pagination (max limit+from = 1000)
direction — asc or desc

Analyst Note

Create, publish, look up, export, and delete analyst notes in Recorded Future.

Operation	Name	HTTP	Description
`searchSearch`	Search	POST /search	Search analyst notes by entity, topic, title, label, date, source
`createLookupById`	Lookup By Id	`POST /lookup/{note_id}`	Fetch a specific analyst note by ID
`createDraft`	Create Draft	POST /draft	Save a note as a draft
`createPreview`	Create Preview	POST /preview	Preview note rendering before publishing
`createPublish`	Create Publish	POST /publish	Publish or edit an analyst note
`deleteDeleteById`	Delete By Id	`DELETE /delete/{note_id}`	Delete an analyst note by ID
`getAttachmentById`	Get Attachment	`GET /attachment/{note_id}`	Retrieve an attachment for a note
`getExportByFormatById`	Export By Format	`GET /export/{format}/{note_id}`	Export a note as `html` or `pdf`

Common parameters:

note_id — required for all *ById operations (path parameter)
attributes — note content object (title, text, topic, etc.)
source — entity ID for the note source
tagged_text — boolean; inline entity tags in output
serialization — id, min, or full

Entity Match

Resolve entity names to Recorded Future IDs and look up entities by ID. Useful as a pre-step before other operations that require RF entity IDs.

Operation	Name	HTTP	Description
`createEntityMatchMatch`	Match Entities	POST /entity-match/match	Find entity IDs by name (and optionally type)
`getEntityMatchEntityById`	Get Entity By Id	`GET /entity-match/entity/{id}`	Look up a specific entity by its RF ID

Parameters for createEntityMatchMatch:

name (required) — entity name to search
type — array of entity types to filter (e.g., ["IpAddress", "InternetDomainName"])
limit — number of results (default: 10)

Identity

Query Recorded Future's Identity Intelligence module for credential exposures, compromised accounts, and incident reports.

Operation	Name	HTTP	Description
`searchCredentials`	Search Credentials	POST /identity/credentials/search	Search exposed credentials by domain
`lookupCredentials`	Lookup Credentials	POST /identity/credentials/lookup	Look up credentials by subject, SHA1 hash, or login
`lookupPassword`	Lookup Password	POST /identity/password/lookup	Check if specific passwords have been exposed
`lookupHostname`	Lookup Hostname	POST /identity/hostname/lookup	Find credential exposure for a hostname
`lookupIP`	Lookup IP	POST /identity/ip/lookup	Find credential exposure for an IP or IP range
`getDetections`	Get Detections	POST /identity/detections	(Beta) List identity detections for an organization
`getIncidentReport`	Get Incident Report	POST /identity/incident/report	Get a detailed incident report for a data dump/breach
`getDumpMetadata`	Get Dump Metadata	POST /identity/metadata/dump/search	Search metadata for known data dumps by name

Common parameters:

organization_id — string; scopes results to your organization
domains / domain_types — filter by domain for credential searches
limit / offset — pagination

lookupCredentials lookup methods (use one):

subjects — list of email addresses or usernames to look up directly
subjects_sha1 — list of SHA1-hashed subject identifiers (privacy-preserving)
subjects_login + subjects_domain — paired arrays for domain/login lookup (e.g., login: ["j.doe"], domain: ["corp.com"]). Both arrays are required and matched by index. The API requires a domain for each login entry.

lookupPassword parameters:

passwords — array of password hash objects, each with:
- algorithm (required) — hash algorithm enum: SHA1, SHA256, MD5, NTLM, BCRYPT, and 20 others
- hash — full hash value (use this OR hash_prefix)
- hash_prefix — hash prefix for partial matching (use this OR hash)

getDetections filter object children:

novel_only / malware_only — boolean filters
domains — array of domain names
detection_types / detection_type — enum: Workforce, External, Vip
cookies — enum: Cookies, UnexpiredCookies
authorization_technology — object with any (boolean), id (array), name (array)
created — date range object with gte / lt (ISO-8601)

Credential filter parameters (available on searchCredentials, lookupCredentials, lookupHostname, lookupIP):

time_window — quick preset: last_24h, last_7d, last_30d, last_90d (overrides date filters below)
first_downloaded_gte — credentials first seen after this date (ISO-8601)
latest_downloaded_gte — credentials last downloaded after this date
exfiltration_date_gte — malware exfiltration date filter
properties — enum array: Letter, Number, Symbol, UpperCase, LowerCase, MixedCase, AtLeast8Characters, AtLeast10Characters, AtLeast12Characters, AtLeast16Characters, AtLeast24Characters, Cookies, UnexpiredCookies, AuthorizationTechnology, MalwareOnly
username_properties — enum array: Email
breach_properties — object with name and date children
dump_properties — object with name and date children
authorization_technologies — free-text array (e.g., SAML, OAuth, Okta Single Sign-On)
authorization_protocols — free-text array (e.g., RDP, SSH, HTTPS, FTP)
malware_families — free-text array (e.g., RedLine Stealer, Vidar Stealer)
mask_passwords — boolean; masks cleartext passwords in response (keeps first 2 chars visible)

List

Read and write user-managed entity watch lists in Recorded Future.

Operation	Name	HTTP	Description
`createListCreate`	Create List	POST /list/create	Create a new watch list
`searchListSearch`	Search Lists	POST /list/search	Find lists by name or type
`getListInfoByListid`	Get List Info	`GET /list/{listId}/info`	Get metadata for a specific list
`getListStatusByListid`	Get List Status	`GET /list/{listId}/status`	Get status information for a list
`getListEntitiesByListid`	Get List Entities	`GET /list/{listId}/entities`	Get entities on a list
`getListEntitieswithtagsByListid`	Get List Entities With Tags	`GET /list/{listId}/entitiesWithTags`	Get entities including their list-specific tags
`getListTextentriesByListid`	Get List Text Entries	`GET /list/{listId}/textEntries`	Get text entries on a list
`createListEntityAddByListid`	Add Entity To List	`POST /list/{listId}/entity/add`	Add an entity to a list
`createListEntityRemoveByListid`	Remove Entity From List	`POST /list/{listId}/entity/remove`	Remove an entity from a list
`createListEntityTagsByListid`	Update Entity Tags	`POST /list/{listId}/entity/tags`	Set all tags for an entity on a watch list (replaces existing)

Key parameters:

listId (required) — path parameter identifying the target list; use searchListSearch to find IDs
entity — object with id and/or name fields
type — list type filter (e.g., ip, domain, hash, url, vulnerability)

Playbook Alert

Programmatic access to Recorded Future Playbook Alerts — structured, analyst-ready alerts with typed categories (Domain Abuse, Vulnerability, Malware, etc.).

Core Operations

Operation	Name	HTTP	Description
`searchSearch`	Search	POST /search	Search playbook alerts with filters (status, priority, category, assignee, date ranges)
`getCommonById`	Get Common By Id	`GET /common/{playbook_alert_id}`	Fetch common preview data for any playbook alert
`updateCommonById`	Update Common By Id	`PUT /common/{playbook_alert_id}`	Update status, priority, assignee, or add log entries
`listMetadataCommon`	List Metadata Common	GET /metadata/common	Enumerate valid statuses, priorities, and categories
`createMetadataAssignees`	Create Metadata Assignees	POST /metadata/assignees	List available assignees for a playbook alert

Category-Specific Operations

Each category supports both single-ID and bulk lookup:

Category	Single ID Operation	Bulk Operation
Domain Abuse	`createDomainAbuseById`	`createDomainAbuse`
Vulnerability	`createVulnerabilityById`	`createVulnerability`
Code Repo Leakage	`createCodeRepoLeakageById`	`createCodeRepoLeakage`
Third Party Risk	`createThirdPartyRiskById`	`createThirdPartyRisk`
Identity Novel Exposures	`createIdentityNovelExposuresById`	`createIdentityNovelExposures`
Geopolitics Facility	`createGeopoliticsFacilityById`	`createGeopoliticsFacility`
Malware Report	`createMalwareReportById`	`createMalwareReport`
Compromised Bank Checks	`createCompromisedBankChecksById`	`createCompromisedBankChecks`

Single-ID operations accept playbook_alert_id (required path param) + optional panels array. Bulk operations accept playbook_alert_ids array (required) + optional panels array. Bulk max: 250 IDs.

Image Operations

Operation	Name	HTTP	Description
`getDomainAbuseImageByIdById`	Get Domain Abuse Image	`GET /domain_abuse/{playbook_alert_id}/image/{image_id}`	Screenshot for a Domain Abuse alert
`getGeopoliticsFacilityImageById`	Get Geopolitics Facility Image	`GET /geopolitics_facility/image/{image_id}`	Image for a Geopolitics Facility alert
`getCompromisedBankChecksImageById`	Get Compromised Bank Checks Image	`GET /compromised_bank_checks/image/{playbook_alert_id}`	Check image for a Compromised Bank Checks alert

Key searchSearch parameters:

statuses — array; enum: New, InProgress, Dismissed, Resolved
priority — array; enum: High, Moderate, Informational
category — array; enum: domain_abuse, cyber_vulnerability, code_repo_leakage, third_party_risk, identity_novel_exposures, geopolitics_facility
assignee — array of assignee IDs
created_range / updated_range — time range objects with from and until children (ISO-8601 date-time)
entity — array of RF entity IDs
limit / offset — pagination (max limit+from = 10,000)
order_by — created or modified; direction — asc or desc

Key updateCommonById parameters:

status — enum: New, InProgress, Dismissed, Resolved
priority — enum: High, Moderate, Informational
reopen — enum: Never, SignificantUpdates (only valid for Dismissed/Resolved alerts)
assignee — assignee ID string
log_entry — freetext message (max 5000 chars)
added_actions_taken / removed_actions_taken — arrays of action IDs (only when status is Dismissed or Resolved)

Threat

Retrieve threat intelligence maps, search threat actors, and list categories for filtering. Threat maps show actor/malware activity mapped against your organization's watchlists.

Operation	Name	HTTP	Description
`getMaps`	Get Maps	GET /threat/maps	List available threat maps for your account
`getActorThreatMap`	Get Actor Threat Map	POST /threat/map/actors	Actor threat map for your primary organization
`getActorThreatMapByOrg`	Get Actor Threat Map By Org	`POST /threat/map/{orgId}/actors`	Actor threat map for a specific organization
`getMalwareThreatMap`	Get Malware Threat Map	POST /threat/map/malware	Malware threat map for your primary organization
`getMalwareThreatMapByOrg`	Get Malware Threat Map By Org	`POST /threat/map/{orgId}/malware`	Malware threat map for a specific organization
`searchActors`	Search Threat Actors	POST /threat/actor/search	Search threat actors by name with pagination
`getActorCategories`	Get Actor Categories	GET /threat/actor/categories	List threat actor categories (for filtering maps)
`getMalwareCategories`	Get Malware Categories	GET /threat/malware/categories	List malware categories (for filtering maps)

Threat map filter parameters (for getActorThreatMap / getActorThreatMapByOrg):

actors — array of threat actor IDs to filter by
categories — array of actor category IDs
watchlists — array of watchlist IDs to include

Malware map filter parameters (for getMalwareThreatMap / getMalwareThreatMapByOrg):

malware — array of malware IDs to filter by
categories — array of malware category IDs
watchlists — array of watchlist IDs to include

searchActors parameters:

name — search string (matches names, common names, and aliases)
limit — max results, 1-10000 (default: 10000)
offset — pagination token from next_offset in previous response

Links

Retrieve verified links between entities. Links come from technical analysis of cyber threats or Insikt Group research. Useful for understanding relationships between indicators.

Operation	Name	HTTP	Description
`search`	Search Links	POST /links/search	Search for verified links related to one or more entities
`getMetadataEntities`	Get Entity Types	GET /links/metadata/entities	List available entity types for filtering search results
`getMetadataEvents`	Get Event Types	GET /links/metadata/events	List available technical analysis source types
`getMetadataSections`	Get Link Sections	GET /links/metadata/sections	List available link relationship types (e.g., Victims & Exploit Targets)

Key search parameters:

entities (required) — array of RF entity IDs to find links for
filters — object with children:
- sections — array of link section types (use getMetadataSections for values)
- entity_types — array of entity types to return (use getMetadataEntities for values)
- sources — array: technical, insikt, or both
- technical — nested object with timeframe (ISO date or relative like -30d, max 90 days), events, and connected_entities
limits — object with search_scope (small, medium, large) and per_entity_type (max entities per type)

Connect v2

Entity enrichment and risk intelligence. Provides search, lookup, risk lists, risk rules, and Intelligence Card extensions for 7 entity types, plus entity list management and fusion file operations.

Company (5 operations)

Operation	Name	HTTP	Description
`searchCompany`	Search Company	GET /v2/company/search	Search companies by freetext, risk score, risk rule, industry, domicile
`lookupCompany`	Lookup Company	`GET /v2/company/{id}`	Enrich a single company by ID
`lookupCompanyByDomain`	Lookup Company By Domain	`GET /v2/company/by_domain/{domain}`	Find a company by a domain it owns
`listCompanyReferences`	List Company References	`GET /v2/company/{id}/references`	List references (credential leaks, dark web mentions)
`listCompanyRiskRules`	List Company Risk Rules	GET /v2/company/riskrules	List current risk rules for companies

Domain (7 operations)

Operation	Name	HTTP	Description
`searchDomain`	Search Domain	GET /v2/domain/search	Search domains by risk score, risk rule, date filters
`lookupDomain`	Lookup Domain	`GET /v2/domain/{id}`	Enrich a single domain by ID
`lookupDomainExtension`	Lookup Domain Extension	`GET /v2/domain/{id}/extension/{extension}`	Query Intelligence Card extension (e.g., VirusTotal, Shodan)
`getDomainRiskList`	Get Domain Risk List	GET /v2/domain/risklist	Download domain risk list (CSV, STIX formats)
`statDomainRiskList`	Stat Domain Risk List	HEAD /v2/domain/risklist	Check if risk list has been modified (ETag)
`listDomainRiskRules`	List Domain Risk Rules	GET /v2/domain/riskrules	List current risk rules for domains
`getDomainDemoEvents`	Get Domain Demo Events	GET /v2/domain/demoevents	Fetch sample data for testing

Hash (7 operations)

Operation	Name	HTTP	Description
`searchHash`	Search Hash	GET /v2/hash/search	Search hashes by algorithm, risk score, risk rule
`lookupHash`	Lookup Hash	`GET /v2/hash/{id}`	Enrich a single hash by ID
`lookupHashExtension`	Lookup Hash Extension	`GET /v2/hash/{id}/extension/{extension}`	Query Intelligence Card extension
`getHashRiskList`	Get Hash Risk List	GET /v2/hash/risklist	Download hash risk list
`statHashRiskList`	Stat Hash Risk List	HEAD /v2/hash/risklist	Check if risk list has been modified
`listHashRiskRules`	List Hash Risk Rules	GET /v2/hash/riskrules	List current risk rules for hashes
`getHashDemoEvents`	Get Hash Demo Events	GET /v2/hash/demoevents	Fetch sample data for testing

IP (7 operations)

Operation	Name	HTTP	Description
`searchIp`	Search IP	GET /v2/ip/search	Search IPs by range, location, risk score, risk rule
`lookupIp`	Lookup IP	`GET /v2/ip/{id}`	Enrich a single IP by ID
`lookupIpExtension`	Lookup IP Extension	`GET /v2/ip/{id}/extension/{extension}`	Query Intelligence Card extension (GreyNoise, Shodan, etc.)
`getIpRiskList`	Get IP Risk List	GET /v2/ip/risklist	Download IP risk list
`statIpRiskList`	Stat IP Risk List	HEAD /v2/ip/risklist	Check if risk list has been modified
`listIpRiskRules`	List IP Risk Rules	GET /v2/ip/riskrules	List current risk rules for IPs
`getIpDemoEvents`	Get IP Demo Events	GET /v2/ip/demoevents	Fetch sample data for testing

URL (7 operations)

Operation	Name	HTTP	Description
`searchUrl`	Search URL	GET /v2/url/search	Search URLs by freetext, risk score, risk rule
`lookupUrl`	Lookup URL	`GET /v2/url/{id}`	Enrich a single URL by ID
`lookupUrlExtension`	Lookup URL Extension	`GET /v2/url/{id}/extension/{extension}`	Query Intelligence Card extension
`getUrlRiskList`	Get URL Risk List	GET /v2/url/risklist	Download URL risk list
`statUrlRiskList`	Stat URL Risk List	HEAD /v2/url/risklist	Check if risk list has been modified
`listUrlRiskRules`	List URL Risk Rules	GET /v2/url/riskrules	List current risk rules for URLs
`getUrlDemoEvents`	Get URL Demo Events	GET /v2/url/demoevents	Fetch sample data for testing

Vulnerability (7 operations)

Operation	Name	HTTP	Description
`searchVulnerability`	Search Vulnerability	GET /v2/vulnerability/search	Search CVEs by risk/CVSS score, product, CPE
`lookupVulnerability`	Lookup Vulnerability	`GET /v2/vulnerability/{id}`	Enrich a single vulnerability by ID
`lookupVulnerabilityExtension`	Lookup Extension	`GET /v2/vulnerability/{id}/extension/{extension}`	Query Intelligence Card extension (EPSS, Mandiant, etc.)
`getVulnerabilityRiskList`	Get Vuln Risk List	GET /v2/vulnerability/risklist	Download vulnerability risk list
`statVulnerabilityRiskList`	Stat Vuln Risk List	HEAD /v2/vulnerability/risklist	Check if risk list has been modified
`listVulnerabilityRiskRules`	List Vuln Risk Rules	GET /v2/vulnerability/riskrules	List current risk rules for vulnerabilities
`getVulnerabilityDemoEvents`	Get Vuln Demo Events	GET /v2/vulnerability/demoevents	Fetch sample data for testing

Malware (3 operations)

Operation	Name	HTTP	Description
`searchMalware`	Search Malware	GET /v2/malware/search	Search malware entities by name, date filters
`lookupMalware`	Lookup Malware	`GET /v2/malware/{id}`	Enrich a single malware entity by ID
`lookupMalwareExtension`	Lookup Malware Extension	`GET /v2/malware/{id}/extension/{extension}`	Query Intelligence Card extension

Entity List & Fusion File (6 operations)

Operation	Name	HTTP	Description
`searchEntityList`	Search Entity List	GET /v2/entitylist/search	Search for entity lists
`lookupEntityList`	Lookup Entity List	`GET /v2/entitylist/{id}`	Lookup a specific entity list by ID
`getFusionFile`	Get Fusion File	GET /v2/fusion/files	Fetch a feed file or list directory content
`statFusionFile`	Stat Fusion File	HEAD /v2/fusion/files	Check if a feed file has been modified
`uploadFusionFile`	Upload Fusion File	POST /v2/fusion/files	Upload a feed file
`deleteFusionFile`	Delete Fusion File	DELETE /v2/fusion/files	Delete a feed file

Common parameters across all Connect v2 search operations:

fields — comma-separated enrichment fields to return
metadata — boolean; annotate response with field descriptions
limit / from — pagination (limit + from cannot exceed 1000)
riskScore — range filter (e.g., [20, 80])
firstSeen / lastSeen — date filters
riskRule — filter by a specific risk rule (each entity type has its own enum)
orderBy — sort field; direction — asc or desc

Intelligence Card extensions — each entity type has a different set of available extensions (VirusTotal, Shodan, GreyNoise, Mandiant, etc.). The extension name is a path parameter.

Threat Detection

Manage threat detection profiles for SIEM/EDR deployment. Part of the Autonomous Threat Operations API.

Operation	Name	HTTP	Description
`getProfiles`	Get Detection Profiles	GET	Retrieve detection profiles for the authenticated integration user
`queryProfiles`	Query Detection Profiles	POST	Filter detection profiles by IDs, enterprise, integration, organizations
`getProfileIndicators`	Get Profile Indicators	POST	Retrieve current indicators (domains, hashes, IPs, URLs) for a profile
`getProfileRules`	Get Profile Detection Rules	POST	Retrieve detection rules (fql, kql, sigma, snort, yara, etc.) for a profile
`submitResults`	Submit Detection Results	POST	Submit detection results for a profile

Key parameters for getProfileIndicators:

id (required) — Detection Profile ID (UUID)
filter — object with types (domain, hash, ip, url) and algorithms (MD5, SHA-1, SHA-256, etc.)
include — object with risk.score and risk.rules booleans
limit / offset — pagination

Threat Hunting

Manage threat hunting profiles. Same structure as Threat Detection but focused on proactive hunting indicators.

Operation	Name	HTTP	Description
`getProfiles`	Get Hunting Profiles	GET	Retrieve hunting profiles
`queryProfiles`	Query Hunting Profiles	POST	Filter hunting profiles
`getProfileIndicators`	Get Profile Indicators	POST	Retrieve hunting indicators for a profile
`submitResults`	Submit Hunting Results	POST	Submit hunting results for a profile

Threat Prevention

Manage threat prevention profiles for blocking and prevention controls.

Operation	Name	HTTP	Description
`getProfiles`	Get Prevention Profiles	GET	Retrieve prevention profiles
`queryProfiles`	Query Prevention Profiles	POST	Filter prevention profiles
`getProfileIndicators`	Get Profile Indicators	POST	Retrieve prevention indicators for a profile
`submitResults`	Submit Prevention Results	POST	Submit prevention results for a profile

Intelligence Sources

Create and manage custom intelligence sources. Publish reports with observables, TTPs, malware, and threat actors.

Operation	Name	HTTP	Description
`getSources`	Get Sources	GET	List all custom intelligence sources
`createSource`	Create Source	POST	Create a new custom intelligence source
`getSource`	Get Source	GET	Get a source by ID
`updateSource`	Update Source	PUT	Update a source's name and description
`publishReports`	Publish Reports	POST	Publish reports with observables to a source

publishReports parameters:

id (required) — Source ID (UUID)
reports (required) — array of reports, each requiring observables (array of entity IDs like ip:127.0.0.1). Optional: externalId, tlp (clear/green/amber/amber+strict/red), ttp (MITRE IDs like mitre:T1082), malware, threatActor, timestamp

Detection Rule

Search for YARA, Sigma, and Snort detection rules authored by Recorded Future's Insikt Group.

Operation	Name	HTTP	Description
`search`	Search Detection Rules	POST /search	Search rules by type, entity, date range, title

Key parameters:

filter — object with children:
- types — enum array: sigma, yara, snort
- entities — array of entity IDs (e.g., mitre:T1486)
- created / updated — date range objects with before and after (ISO 8601)
- doc_id — document identity
- title — free text search on the published Insikt Note title
tagged_entities — boolean; include entity tags in text (default: false)
limit — max results (default: 10)
offset — pagination token

Detection Rule Relation

Fetch entities and entity types associated with detection rules. Useful for building filter UIs.

Operation	Name	HTTP	Description
`fetchEntities`	Fetch Entities	GET /entity/list	List all entities associated with any detection rule
`fetchTypes`	Fetch Types	GET /entity/types	List all entity types associated with detection rules

Both operations are parameterless.

Malware Intelligence

Query malware data, get sandbox reports, and generate YARA/Sigma detection rules automatically.

Query Operations

Operation	Name	HTTP	Description
`queryMalwareIntelligence`	Query (Custom Language)	POST /v1/query	Search malware data using Recorded Future query language
`queryMalwareIntelligenceNL`	Query (Natural Language)	POST /v1/query_nl	Search malware data using natural language
`queryMalwareIntelligenceIOCs`	Query IOCs	POST /v1/query_iocs	Search malware data with lists of IOCs
`getSandboxReports`	Get Sandbox Reports	POST /v1/reports	Get sandbox analysis reports for a file hash

Common query parameters:

field (required) — enum: sha256, ip_address, domain, url, command_line, ttp, dst_port, signature, ioc, tag, score, asn, submitter_industry, imported_dll, dumped_file_sha256, dumped_file_path, registry_key_read, registry_key_created, pe_issuer
start_date (required) — earliest date (cannot be before 2023-11-01)
end_date — latest date (defaults to today)
my_enterprise — boolean; restrict to your organization's samples
page — zero-indexed page number
sandbox_score / links — boolean; include additional data in response

IOC query specific: sha256_list, ip_list, domain_list, url_list (use one or more), operator — enum: and, or

Auto YARA (6 operations)

Operation	Name	HTTP	Description
`create_job_yara_rule_service_jobs_post`	Create YARA Job	POST	Create a YARA rule generation job from up to 100 SHA-256 hashes
`get_jobs_yara_rule_service_jobs_get`	Get All YARA Jobs	GET	List all YARA jobs
`edit_job_yara_rule_service_jobs_edit_post`	Edit YARA Job	POST	Update a job's YARA rule string
`get_job_yara_rule_service_jobs__job_id__get`	Get YARA Job	GET	Get result of a specific job
`delete_job_yara_rule_service_jobs__job_id__get`	Delete YARA Job	DELETE	Delete a job
`retryYaraJob`	Retry YARA Job	POST	Retry a failed job

Auto Sigma (6 operations)

Operation	Name	HTTP	Description
`createSigmaJob`	Create Sigma Job	POST	Create a Sigma rule generation job
`getSigmaJobs`	Get All Sigma Jobs	POST	List all Sigma jobs (with limit/offset)
`getSigmaJob`	Get Sigma Job	GET	Get result of a specific job
`deleteSigmaJob`	Delete Sigma Job	DELETE	Delete a job
`updateSigmaRule`	Update Sigma Rule	POST	Update a rule's YAML and status
`retrySigmaRule`	Retry Sigma Job	POST	Retry a failed job

updateSigmaRule status enum: True Positive, False Positive, Benign Behavior, No Root Cause, Needs Tuning, New

Risk

Fetch risk history and active risk rules for entities.

Operation	Name	HTTP	Description
`search-risk-histories`	Search Risk Histories	POST /history	Get risk score, criticality, and risk rule history for entities over a date range
`get-active-risk-rule`	Get Active Risk Rule	POST /active/rule	Fetch one active risk rule (by alias) with paginated enriched evidence

search-risk-histories parameters:

entities (required) — array of entity IDs
from / to — date range (ISO 8601, defaults to 30-day window)

get-active-risk-rule parameters:

company (required) — company entity ID
rule_alias (required) — risk rule alias
limit / offset — pagination for evidence records

Fusion v3

Manage Recorded Future feed files — upload custom data, download feeds, and browse file directories.

Operation	Name	HTTP	Description
`getFile`	Fetch File	`GET /files/{path}`	Download a feed file
`headFile`	Stat File	`HEAD /files/{path}`	Check file metadata without downloading
`uploadFile`	Upload File	`POST /files/{path}`	Upload a feed file
`deleteFile`	Delete File	`DELETE /files/{path}`	Delete a feed file
`getDirectory`	Fetch Directory	`GET /files/directory/{path}`	List directory contents

Note: File paths may require URL encoding (/ as %2F).

SOAR v3

High-throughput bulk risk checks for SOAR platform integration. Supports 5 IOC types: IP, Domain, Hash, URL, and Vulnerability.

Operation	Name	HTTP	Description
`createEnrichment`	Create Enrichment	POST /enrichment	Batch enrichment of up to 1000 IOCs with risk scores and rules
`listTriageContexts`	List Triage Contexts	GET /triage/contexts	List all available risk contexts
`createTriageContext`	Create Triage Context	`POST /triage/contexts/{context_name}`	Triage IOCs against a specific risk context

IOC parameters (shared between enrichment and triage):

ip, domain, hash, url, vulnerability, companybydomain — arrays of IOC values (max 1000 total per request)

Triage-specific parameters:

context_name (required) — the risk context to evaluate against (use listTriageContexts for available values)
format — enum: phantom (Splunk SOAR output format)
threshold — risk score threshold for deeming an entity risky
threshold_type — enum: min, max (default: max)

Examples

Search for Open Playbook Alerts

{
  "integration_service": "recorded-future",
  "resource": "playbook-alert",
  "operation": "searchSearch",
  "parameters": {
    "statuses": ["New"],
    "priority": ["High"],
    "order_by": "created",
    "direction": "desc",
    "limit": 25
  }
}

Update a Playbook Alert Status

{
  "integration_service": "recorded-future",
  "resource": "playbook-alert",
  "operation": "updateCommonById",
  "parameters": {
    "playbook_alert_id": "abc-123-xyz",
    "status": "InProgress",
    "assignee": "uhash:40wXmPVONA",
    "log_entry": "Reviewed domain registration — confirmed abuse. Escalating."
  }
}

Get Domain Abuse Alert Detail

{
  "integration_service": "recorded-future",
  "resource": "playbook-alert",
  "operation": "createDomainAbuseById",
  "parameters": {
    "playbook_alert_id": "abc-123-xyz",
    "panels": ["dns", "whois", "screenshot"]
  }
}

Search Exposed Credentials by Domain

{
  "integration_service": "recorded-future",
  "resource": "identity",
  "operation": "searchCredentials",
  "parameters": {
    "domains": ["example.com", "corp.example.com"],
    "domain_types": ["corporate"],
    "limit": 50
  }
}

Look Up Credentials for Specific Users

{
  "integration_service": "recorded-future",
  "resource": "identity",
  "operation": "lookupCredentials",
  "parameters": {
    "subjects": ["[email protected]", "[email protected]"],
    "limit": 100
  }
}

Use subjects_login + subjects_domain when you have a login/domain pair rather than an email:

{
  "integration_service": "recorded-future",
  "resource": "identity",
  "operation": "lookupCredentials",
  "parameters": {
    "subjects_login": ["j.doe", "admin"],
    "subjects_domain": ["corp.example.com", "portal.example.com"],
    "limit": 50
  }
}

Search Credentials with Filters

{
  "integration_service": "recorded-future",
  "resource": "identity",
  "operation": "searchCredentials",
  "parameters": {
    "domains": ["example.com"],
    "time_window": "last_30d",
    "properties": ["AtLeast8Characters", "MixedCase"],
    "malware_families": ["RedLine Stealer"],
    "limit": 100
  }
}

Get Actor Threat Map

{
  "integration_service": "recorded-future",
  "resource": "threat",
  "operation": "getActorThreatMap",
  "parameters": {
    "categories": ["GK7qU"],
    "watchlists": ["report:Hsxme2"]
  }
}

Search Threat Actors

{
  "integration_service": "recorded-future",
  "resource": "threat",
  "operation": "searchActors",
  "parameters": {
    "name": "Fancy Bear",
    "limit": 10
  }
}

Resolve an Entity Name to RF ID

{
  "integration_service": "recorded-future",
  "resource": "entity-match",
  "operation": "createEntityMatchMatch",
  "parameters": {
    "name": "APT29",
    "type": ["ThreatActor"],
    "limit": 5
  }
}

Search Alerts by Status

{
  "integration_service": "recorded-future",
  "resource": "alert",
  "operation": "listV2Search",
  "parameters": {
    "status": "unassigned",
    "triggered": "[-7d,]",
    "limit": 50,
    "direction": "desc"
  }
}

Add Entity to a Watch List

{
  "integration_service": "recorded-future",
  "resource": "list",
  "operation": "createListEntityAddByListid",
  "parameters": {
    "listId": "my-list-id-here",
    "entity": { "id": "ip:8.8.8.8" },
    "context": { "comment": "Added during incident IR-2024-001" }
  }
}

Search Analyst Notes

{
  "integration_service": "recorded-future",
  "resource": "analyst-note",
  "operation": "searchSearch",
  "parameters": {
    "entity": "idn:example.com",
    "published": "-30d",
    "limit": 20,
    "serialization": "full"
  }
}

Enrich an IP via Connect v2

{
  "integration_service": "recorded-future",
  "resource": "connect-v2",
  "operation": "lookupIp",
  "parameters": {
    "id": "ip:8.8.8.8",
    "fields": "intelCard,risk,sightings",
    "metadata": true
  }
}

Search for YARA/Sigma Detection Rules

{
  "integration_service": "recorded-future",
  "resource": "detection-rule",
  "operation": "search",
  "parameters": {
    "filter": {
      "types": ["sigma", "yara"],
      "entities": ["mitre:T1486"]
    },
    "limit": 20
  }
}

Bulk SOAR Enrichment

{
  "integration_service": "recorded-future",
  "resource": "soar-v3",
  "operation": "createEnrichment",
  "parameters": {
    "ip": ["1.2.3.4", "5.6.7.8"],
    "domain": ["suspicious-domain.com"],
    "hash": ["d41d8cd98f00b204e9800998ecf8427e"],
    "metadata": true
  }
}

Search Entity Links

{
  "integration_service": "recorded-future",
  "resource": "links",
  "operation": "search",
  "parameters": {
    "entities": ["ip:1.2.3.4"],
    "filters": {
      "sources": ["technical", "insikt"],
      "technical": {
        "timeframe": "-30d"
      }
    },
    "limits": {
      "search_scope": "medium",
      "per_entity_type": 10
    }
  }
}

Get Risk History for Entities

{
  "integration_service": "recorded-future",
  "resource": "risk",
  "operation": "search-risk-histories",
  "parameters": {
    "entities": ["idn:example.com", "ip:1.2.3.4"],
    "from": "2026-03-01T00:00:00Z",
    "to": "2026-04-01T00:00:00Z"
  }
}

Bulk Vulnerability Playbook Alert Lookup

{
  "integration_service": "recorded-future",
  "resource": "playbook-alert",
  "operation": "createVulnerability",
  "parameters": {
    "playbook_alert_ids": ["alert-id-1", "alert-id-2", "alert-id-3"],
    "panels": ["summary", "affected_products"]
  }
}

Common Workflow Patterns

Playbook Alert Triage Workflow

searchSearch (playbook-alert) — fetch new/unassigned alerts
getCommonById — get preview for each alert
createDomainAbuseById / createVulnerabilityById / etc. — get category-specific detail
updateCommonById — set status, assign to analyst, add log entry

Identity Exposure Investigation

searchCredentials — find exposed accounts for your domains (use time_window or date filters to scope)
lookupCredentials — look up specific users by email (subjects) or by login/domain pair (subjects_login + subjects_domain)
getIncidentReport — get full incident report for a known breach source
getDumpMetadata — look up metadata about a specific dump by name

Entity-Driven Intelligence

createEntityMatchMatch (entity-match) — resolve an observable name to RF entity ID
Use the entity ID in searchSearch (analyst-note or playbook-alert) to find related intelligence
getEntityMatchEntityById — enrich entity with full RF metadata

Threat Map Analysis

getMaps (threat) — list available threat maps for your organization
getActorCategories / getMalwareCategories — fetch category IDs for filtering
getActorThreatMap or getMalwareThreatMap — retrieve the threat map with optional filters
searchActors — search for specific threat actors by name for deeper investigation

Watch List Management

searchListSearch — find your target list by name
getListEntitiesByListid — review current list contents
createListEntityAddByListid / createListEntityRemoveByListid — add/remove entities
getListStatusByListid — verify list sync status

IOC Enrichment via Connect v2

searchIp / searchDomain / searchHash — find entities matching risk criteria
lookupIp / lookupDomain / lookupHash — enrich with full intelligence
lookupIpExtension — get third-party context (GreyNoise, Shodan, VirusTotal)
getIpRiskList — download full risk list for SIEM ingestion

Detection Rule Deployment

search (detection-rule) — find rules by MITRE ATT&CK technique or date
getProfiles (threatDetection) — list detection profiles for your SIEM
getProfileRules — retrieve Sigma/YARA rules for a specific profile
getProfileIndicators — retrieve current IOC indicators for blocking
submitResults — report detection results back to Recorded Future

SOAR Triage Pipeline

listTriageContexts (soar-v3) — get available risk contexts
createTriageContext — triage IOCs against a context with threshold
Use results to auto-classify alerts as actionable or benign

Malware Analysis

queryMalwareIntelligence (malware-intelligence) — search for malware patterns
getSandboxReports — get detailed sandbox analysis for a hash
create_job_yara_rule_service_jobs_post — auto-generate YARA rule from samples
createSigmaJob — auto-generate Sigma rule for SIEM detection

Troubleshooting

Issue	Resolution
401 Unauthorized	API key invalid or expired — verify in RF portal and update credential
403 Forbidden	Subscription does not include this endpoint (e.g., Identity, Playbook Alert)
404 Not Found	Wrong entity/alert/note ID, or endpoint path mismatch
429 Too Many Requests	Rate limit hit — implement exponential backoff; reduce request frequency
Empty results	Entity or alert may not exist in RF database; verify IDs from a prior search
Missing path parameter error	Ensure `playbook_alert_id`, `alert_id`, `note_id`, or `listId` is included in params
Bulk request limit exceeded	Playbook alert bulk ops max 250 IDs per request — split into batches
Identity data unavailable	Requires Identity Intelligence subscription tier
Playbook alerts unavailable	Requires Playbook Alert subscription — confirm with RF account team
`panels` returns partial data	Specific panels may not apply to all alert subtypes; omit to return all available panels
400 error on `lookupCredentials` with `subjects_login`	`subjects_domain` is required when using `subjects_login` — provide both arrays matched by index
400 error on `lookupPassword`	`passwords` must be an array of hash objects (`{algorithm, hash}`), not plain password strings
Wrong enum values on `updateCommonById`	Use exact casing: `InProgress` (not `in-progress`), `High` (not `high`), `Resolved` (not `resolved`)

Security Considerations

Protect API Keys: Store exclusively through NINA credential management — never in workflow parameters or logs
Sensitive Data: Credential lookups and identity data are highly sensitive — restrict workflow access accordingly
IOC Submission Awareness: IOCs submitted to RF APIs may be logged for service improvement
Subscription Scoping: Ensure your API key subscription tier covers the modules your workflows use
Credential Rotation: Rotate API keys regularly; revoke immediately if compromised

Additional Resources

Updated: 2026-04-20

Overview​

Credential Configuration​

Authentication​

How to Get Your Recorded Future API Key​

Creating a Credential in NINA​

Supported Resources and Operations​

Alert​

Analyst Note​

Entity Match​

Identity​

List​

Playbook Alert​

Core Operations​

Category-Specific Operations​

Image Operations​

Threat​

Links​

Connect v2​

Company (5 operations)​

Domain (7 operations)​

Hash (7 operations)​

IP (7 operations)​

URL (7 operations)​

Vulnerability (7 operations)​

Malware (3 operations)​

Entity List & Fusion File (6 operations)​

Threat Detection​

Threat Hunting​

Threat Prevention​

Intelligence Sources​

Detection Rule​

Detection Rule Relation​

Malware Intelligence​

Query Operations​

Auto YARA (6 operations)​

Auto Sigma (6 operations)​

Risk​

Fusion v3​

SOAR v3​

Examples​

Search for Open Playbook Alerts​

Update a Playbook Alert Status​

Get Domain Abuse Alert Detail​

Search Exposed Credentials by Domain​

Look Up Credentials for Specific Users​

Look Up Credentials by Login and Domain​

Search Credentials with Filters​

Get Actor Threat Map​

Search Threat Actors​

Resolve an Entity Name to RF ID​

Search Alerts by Status​

Add Entity to a Watch List​

Search Analyst Notes​

Enrich an IP via Connect v2​

Search for YARA/Sigma Detection Rules​

Bulk SOAR Enrichment​

Search Entity Links​

Get Risk History for Entities​

Bulk Vulnerability Playbook Alert Lookup​

Common Workflow Patterns​

Playbook Alert Triage Workflow​

Identity Exposure Investigation​

Entity-Driven Intelligence​

Threat Map Analysis​

Watch List Management​

IOC Enrichment via Connect v2​

Detection Rule Deployment​

SOAR Triage Pipeline​

Malware Analysis​

Troubleshooting​

Security Considerations​

Additional Resources​